Spring Bootframework~30 mins

CORS configuration in Security in Spring Boot - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Perf

CORS configuration in Security

📖 Scenario: You are building a Spring Boot web application that will be accessed from a frontend running on a different domain. To allow the frontend to communicate with your backend securely, you need to configure CORS (Cross-Origin Resource Sharing) in your Spring Security setup.

🎯 Goal: Configure CORS in Spring Security to allow requests from http://localhost:3000 with GET and POST methods.

📋 What You'll Learn

Create a CORS configuration bean allowing origin http://localhost:3000

Allow HTTP methods GET and POST in CORS configuration

Integrate the CORS configuration into Spring Security filter chain

Enable CORS support in the security configuration

💡 Why This Matters

🌍 Real World

Many web applications have frontend and backend running on different domains or ports. Configuring CORS properly in Spring Security allows safe cross-origin requests from the frontend to the backend.

💼 Career

Understanding how to configure CORS in Spring Security is essential for backend developers working on secure APIs that serve frontend applications hosted separately.

Progress0 / 4 steps

Create CORS configuration bean

Create a method called corsConfigurationSource that returns a CorsConfigurationSource bean. Inside it, create a CorsConfiguration object and set allowed origins to List.of("http://localhost:3000"). Then register this configuration for all paths "/**" using UrlBasedCorsConfigurationSource.

Spring Boot

# Your code here
// Create a method corsConfigurationSource returning CorsConfigurationSource bean

Need a hint?

Use CorsConfiguration and UrlBasedCorsConfigurationSource classes to create the CORS setup.

Add allowed HTTP methods to CORS configuration

In the corsConfigurationSource method, add allowed HTTP methods GET and POST to the CorsConfiguration object using setAllowedMethods.

Spring Boot

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import java.util.List;

@Configuration
public class SecurityConfig {

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(List.of("http://localhost:3000"));
        // Add allowed methods GET and POST here
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

Need a hint?

Use configuration.setAllowedMethods(List.of("GET", "POST")) to allow these HTTP methods.

Configure Spring Security to use CORS

Add a SecurityFilterChain bean method called filterChain that takes HttpSecurity http as a parameter. Inside, enable CORS by calling http.cors(). Then disable CSRF with http.csrf().disable(). Finally, build and return the security filter chain.

Spring Boot

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import java.util.List;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(List.of("http://localhost:3000"));
        configuration.setAllowedMethods(List.of("GET", "POST"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    // Add SecurityFilterChain bean method filterChain here
    // Enable CORS and disable CSRF
}

Need a hint?

Use http.cors() to enable CORS support in Spring Security.

Complete Security Configuration class

Ensure the class is annotated with @Configuration and contains both corsConfigurationSource and filterChain bean methods as shown. This completes the CORS setup integrated with Spring Security.

Spring Boot

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import java.util.List;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Ensure class is annotated and contains both bean methods
// Your code here

Need a hint?

Make sure the class has @Configuration and both bean methods.